Application servers, such as virtual private network gateway servers, restrict access by performing user authentication. In one conventional arrangement, the application server delegates responsibility for the authentication to a remote authentication server (e.g., a username/password authentication server) by sending an access request message to the remote authentication server. In another arrangement, after the remote authentication server authenticates the user, the application server initiates supplemental authentication by sending a second access request message to a second remote authentication server or a proxy device.